Login Sign Up

CVE-2023-1456

7.2 HIGH
Remote Code Execution

📋 TL;DR

CVE-2023-1456 is a post-authentication command injection vulnerability in Ubiquiti EdgeRouter X's NAT Configuration Handler. Attackers with administrative access can execute arbitrary commands on the router. This affects EdgeRouter X users with the vulnerable firmware version.

💻 Affected Systems

Products:
  • Ubiquiti EdgeRouter X
Versions: 2.0.9-hotfix.6
Operating Systems: EdgeOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires administrative access to exploit. Vendor considers post-authentication issues not vulnerabilities.

📦 What is this software?

Edgerouter X Firmware by Ui

View all CVEs affecting Edgerouter X Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing persistent backdoor installation, network traffic interception, and lateral movement to connected devices.

🟠

Likely Case

Attackers with stolen or default credentials gain full control of the router to modify configurations, intercept traffic, or use as pivot point.

🟢

If Mitigated

Limited to authenticated attackers only, with proper credential management preventing exploitation.

🌐 Internet-Facing: HIGH - Edge routers are typically internet-facing, and the vulnerability can be exploited remotely after authentication.
🏢 Internal Only: MEDIUM - Internal attackers with administrative access could exploit, but requires network access and credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires administrative credentials. Public disclosure increases weaponization likelihood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor does not consider post-authentication issues vulnerabilities

Restart Required: No

Instructions:

No official patch available. Consider upgrading to latest firmware version if available.

🔧 Temporary Workarounds

Restrict Administrative Access

linux

Limit administrative access to trusted IP addresses only

configure
set service gui listen-address <trusted_ip>
commit
save

Disable Unused NAT Features

linux

Disable NAT configuration features if not required

configure
delete service nat
commit
save

🧯 If You Can't Patch

  • Change all default administrative credentials to strong, unique passwords
  • Implement network segmentation to isolate the router from critical internal systems

🔍 How to Verify

Check if Vulnerable:

Check firmware version: show version | grep Version

Check Version:

show version | grep Version

Verify Fix Applied:

Verify firmware is updated beyond 2.0.9-hotfix.6 or workarounds are implemented

📡 Detection & Monitoring

Log Indicators:

  • Unusual NAT configuration changes
  • Multiple failed login attempts followed by successful login
  • Commands executed via NAT configuration interface

Network Indicators:

  • Unexpected outbound connections from router
  • Unusual traffic patterns from router management interface

SIEM Query:

source="edgerouter" AND (event="nat_config" OR event="command_execution")

📊 Metadata

CVE ID: CVE-2023-1456
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
Published: March 25, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-1456, you might also want to check these:

CVE-2024-48841 10.0

This critical vulnerability in FLXEON software allows remote attackers to execute arbitrary code wit...

Same vulnerability type (CWE-77)
CVE-2025-59818 10.0

This vulnerability allows authenticated attackers to execute arbitrary system commands by manipulati...

Same vulnerability type (CWE-77)
CVE-2024-28354 10.0

This is a critical command injection vulnerability in TRENDnet TEW-827DRU routers that allows remote...

Same vulnerability type (CWE-77)